Malicious PDF — malware analysis report

Static analysis result for SHA-256 10f20e9e08f057f3…

MALICIOUS

PDF

4.7 KB Created: 2015-06-03 16:38:25 +03:00 Authoring application: DOMPDF
MD5: 9a9544155e4c8b19e7b90634a0bf5f49 SHA-1: 285bc93aa363bd816274b08c1a870e7679f2f97f SHA-256: 10f20e9e08f057f3418260ee5bcb4eca9f3297c06caaed8f3024a09e9c8f5181
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a heuristic firing for a large number of external links, suggesting a link farm. The document body also contains numerous URLs, reinforcing this finding. While no scripts were extracted, the embedded URLs and the nature of the link farm indicate a potential attempt to manipulate search engine rankings or distribute malicious content via these external links.

Machine Learning

  • Nyx PDF Classifier clean score 0.1457

Heuristics 2

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://phcccolorado.org/index.php?2015/arabtera.pdf&effpp=1&aspx=2051
    • http://www.prequine.com/index.php?2015/torcida.pdf&fcldj=1&aspx=584
    • http://phcccolorado.org/index.php?2015/arabtera.pdf&effpp=1&aspx=538
    • http://www.nibl.co.nz/index.php?2015/decision.pdf&angzv=1&aspx=1113
    • http://www.nibl.co.nz/index.php?2015/decision.pdf&angzv=1&aspx=2388
    • http://dyrlaegecentret.dk/index.php?2015/typestitch.pdf&hjhle=1&aspx=sitemap

Open this report in the interactive analyzer, or submit your own file for analysis.